Expert Week: Alexander Hanff

2 August 2017 by Al McCloud

Welcome to day three of our first Expert Week. We like to be in a constant state of learning here at UKFast, and there’s no better way to educate ourselves than spending time in the company of experts. With cybersecurity at the top of the agenda for every online business, it seems the perfect time to get up to speed with all the ways that an attack can strike.

Our third of five of experts over five days is Alexander Hanff. Alexander is the creator of cybersecurity websitePrivacy News and a privacy activist. Alexander has been involved with ePrivacy for over 10 years, having been involved with Privacy International, Think Privacy Inc. and developing cookie law.

Here’s our chat with Alexander:

As a former hacker now working to improve online privacy, was there a moment which made you realise just how under threat we are?

I returned to university in 2006 to study the impact of technology on society as a social scientist. My studies were focused on ethics, human rights and surveillance – this was really the pivot point for me.

Has the definition of the hacker broadened or is it shrinking? What would you consider the fundamentals of ‘hacking’?

The definition has definitely expanded, even back in the 80s & 90s it was always expanding. I guess we started as phreakers then became “hackers” as technology evolved and the “theatre” grew. But the basic historical definition is still relevant to most of us. What has changed more is the use of context by the rest of society (especially law enforcement) in order to group multiple different activities under 1 generic heading (hackers).

In my mind the fundamentals of hacking are investigating systems (all types of systems) to understand how they work – any extension of that purpose is dependent of the values and intent of the hacker. Some hackers go no further that that understanding, others try to improve, others seek to exploit flaws.

Nowadays I am more of a policy hacker – I have spent 15 years investigating systems of law in order to understand how they work and improve them. It is not so different to hacking in the technical sense.

Cybersecurity is becoming more mainstream, but are there any blind spots which you think the general public need to be more aware of?

Communications security is a very significant concern which is why I have worked so hard to influence policy on this issue over the past decade.

Technology has made it increasingly easy to communicate with each other no matter where we are physically located – but technology has also made it much easier to monitor those communications.

Governments like this because it gives them more power and control but it is a real risk to the fundamental rights of citizens and in turn democracy. The impact on our private lives, free expression, free movement and the choices we might make regarding our relationships, political affiliation and more can be interfered with if we know we are constantly being monitored.

Furthermore, our communications and meta data associated with them, tell a very detailed story of who we are and what we do, our social graphs and our beliefs.

A prime example of the risks can be seen in recent democratic events such as Brexit, the election of Donald Trump and the U.K. General Election – where behavioural profiling by companies such as Cambridge Analytica was used to influence the way people would vote through what can only be described as psychological manipulation.

We need much stricter rules on the collection and use of personal and communications data to ensure our fundamental rights are protected and our democratic system is not undermined.

Do you think there will be a day when average internet users will have true privacy? What’s needed to achieve that?

Wow, hard question. I think I need to change think to hope. I certainly hope we will and I fight for that every single day. I think the future is a very dark place if we don’t continue to strive towards that and I want to believe that as a species we will eventually realize why it is so important and take the steps we need to take as a society to make that happen. I will keep trying, all I can ask is you and your readers do the same.

Is attack or defence the best approach for cybersecurity? Is hacking the hackers the answer?

We need to develop better infrastructure and more robust systems. I am a pacifist, I don’t believe in violence (not even in the context of cyber attacks) but I am also aware that there will always be a struggle for power no matter how enlightened we become.

Locking systems down, minimizing data collection and retention, using strong encryption, increasing awareness of attack vectors such as phishing, malware & social engineering will go a long way to reducing these threats. And to be clear this awareness raising should begin at a young age not just to protect children but to shape the minds of our future engineers, politicians, law makers etc. because we are at great risk of normalizing surveillance for the current generation and that is the already the bottom of the proverbial “slippery slope”.

Could a hack, breach or flaw be severe enough to jeopardise the internet at large?

Of course, we see this frequently where core network bottlenecks are hit by attacks (both directly and incidentally) – but these issues are only ever temporary. I think probably the biggest potential future threat would be an electro-magnetic event (either man-made or natural) but such an event would have far more serious consequences than just taking down the Internet.

Most attackers with the resources for a direct attack on the Internet (state actors) don’t actually want to shut the internet down, they just want to infiltrate it for their own uses (surveillance, propaganda, undermining other states etc.).

Do we need more international regulation to keep us safe?

Without question…. but also robust enforcement.

Zero compromise when securing your data

PROsecure™ is our comprehensive security suite, combining the latest technology products with in-house expertise to ensure that threats are identified, neutralised and diagnosed.